Merge pull request #28 from krolow/feature/add-support-to-password
Add support to protected keys
krolow authored Nov 25, 2016
2 parents 6597c10 + 189fc02 commit fe150c4
Showing 2 changed files with 22 additions and 8 deletions.
11 changes: 11 additions & 0 deletions ONVAULT
@@ -16,6 +16,13 @@ set -e
# allow overriding default VAULT_SSH_KEY at runtime
: ${VAULT_SSH_KEY:=id_rsa}

# parse arguments
while [[ "$#" > 1 ]]; do case $1 in
--disable-pwd) DISABLE_PASSWORD="$2";;
*) break;;
esac; shift; shift
done

log () {
GREEN='\033[1;32m'
NC='\033[0m' # No Color
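Review bot: the `while [[ "$#" > 1 ]]` condition in the new argument loop is a string comparison (inside `[[ ]]` the `>` operator compares lexically), so it should be `[[ "$#" -gt 1 ]]`; it happens to give the right answer against the single character "1", but it reads as a numeric test and will surprise whoever changes the threshold later. The loop also runs `shift; shift` unconditionally, so a trailing `--disable-pwd` with no value swallows the next argument as the passphrase; check that `$2` is set before assigning it. The name `DISABLE_PASSWORD` holds the passphrase itself rather than a yes/no switch, so something like `KEY_PASSPHRASE` would describe it better.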
@@ -59,6 +66,10 @@ if curl -s "${VAULT_URI}/_ping"; then
echo -e "\nHost *\nIdentityFile ~/.ssh/$VAULT_SSH_KEY" >> ~/.ssh/config
fi

if [[ "$DISABLE_PASSWORD" != "" ]]; then
ssh-keygen -p -P $DISABLE_PASSWORD -N "" -f ~/.ssh/$VAULT_SSH_KEY
fi

# restore 'no_proxy' for executing the actual command
export no_proxy="$no_proxy_old"

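Review bot: `$DISABLE_PASSWORD` is unquoted on the `ssh-keygen -p -P $DISABLE_PASSWORD` line, so a passphrase containing spaces or glob characters is word-split or expanded before ssh-keygen sees it; quote it as `"$DISABLE_PASSWORD"` (and `"$HOME/.ssh/$VAULT_SSH_KEY"` for the key path). Passing the passphrase via `-P` also makes it visible in the process list to anything else running in the container for the lifetime of ssh-keygen, which is worth a comment since ssh-keygen reads passphrases from the terminal rather than stdin and there is no tty here. A wrong passphrase makes ssh-keygen exit non-zero and, under `set -e`, aborts the script silently; `|| { log "could not remove passphrase from $VAULT_SSH_KEY"; exit 1; }` using the script's existing `log` helper would make that failure visible. A comment stating that only the container's copy of the key is rewritten would also help.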
19 changes: 11 additions & 8 deletions README.md
@@ -109,6 +109,15 @@ IdentityFile ~/.ssh/myprivatehost_key
# otherwise will use the id_rsa key for any other host
```

#### SSH key password/passphrase

If your key is protected by passphrase, you can pass to ONVAULT the passphrase, so it before use the key will remove the
password at the container.

```
ONVAULT --disable-pwd %password% npm install
```

#### Symlinks

In case you have symlink for any ssh file. Will be necessary map the volume of the symlink destination into the docker vault server. Otherwise will not be possible to resolve the symlink while copying the ssh files with the `ONVAULT` command.
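Review bot: the new sentence "you can pass to ONVAULT the passphrase, so it before use the key will remove the password at the container" is hard to parse; suggest "If your key is protected by a passphrase, pass it to ONVAULT with `--disable-pwd`; the passphrase is removed from the copy of the key inside the container before the key is used." The example uses `%password%`, which reads as Windows variable syntax; a neutral placeholder such as `<passphrase>` avoids confusion. The section should also state that, because ONVAULT runs inside a Dockerfile `RUN` instruction, the passphrase given on the command line is recorded in the image layer history and in shell history, so readers can judge whether stripping it this way is acceptable for their key.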
@@ -154,14 +163,8 @@ docker-compose up vault

## Drawbacks

A Dockerfile using this technique requires the special **vault service** running. Meaning it is not possible to run any build process at the [Docker Hub](https://hub.docker.com/).

Also note that password protected SSH keys will not work. If you use SSH verbosity will get an error like this:

```
debug1: read_passphrase: can't open /dev/tty: No such device or address
Host key verification failed.
```
A Dockerfile using this technique requires the special **vault service** running. Meaning it is not possible to run any
build process at the [Docker Hub](https://hub.docker.com/).

As the **vault service** is not running an `ssh-agent` (instead copying the contents of files), the password cannot be entered prior to execution.

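Review bot: the surviving sentence "As the **vault service** is not running an `ssh-agent` (instead copying the contents of files), the password cannot be entered prior to execution" now contradicts the `--disable-pwd` option added in this same commit; either drop it or rewrite it to say that the passphrase cannot be entered interactively, which is why `--disable-pwd` strips it from the container's copy of the key. The first paragraph is also reflowed onto two lines with no change in wording, which adds noise to the diff and is better left alone or done in a separate commit.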